WE CLAIM: 

1. A method of metering the packet rate of a packet flow, comprising the
steps of:

a) configuring a packet rate limit for an ACL (access control list) interface,
defined by a maximum number of packets Pmax acceptable in a time interval
Trefresh;

b) counting the number of packets P received at said ACL interface; and 

c) discarding all packets arriving at said ACL after Pmax has been reached.

2. The method of claim 1, wherein Pmax and Trefresh are configurable.

3. The method of claim 1, wherein step b) comprises:

providing a packet rate limit counter at said ACL interface and initiating
said counter at a value StartCount;

incrementing the counter with each received packet of said packet flow to 
provide a CurrentCount, and 

resetting said counter at said time intervals Trefresh.

4. The method of claim 3, wherein step c) comprises discarding all 
packets arriving at said ACL interface after said counter reached a saturation 
value CountSat. 

5. The method of claim 3, wherein step c) comprises: 

discarding all packets arriving at said counter after said counter reached a 
saturation value CountSat, and 

counting the number of the packets discarded since said counter reaches
said saturation value until said Trefresh.

6. The method of claim 5, wherein counting of the discarded packets is 
performed with said counter. 

7. The method of claim 1, further comprising placing the discarded
packets in an extraction queue for further examination.

8. For an access control list (ACL) unit provided at a router controlling 
which IP packets of a packet flow are allowed to enter an IP network based on a 
plurality of rules, a rate limiting ACL rule comprising: 

operating said interface according to an "accept and discard" action, when 
each packet is accepted or discarded based on a packet rate limit; 

operating said interface according to an "accept with extract" action when 
each packet is accepted or extracted based on said packet rate limit; and 

placing each extracted packet in an extraction queue for further 
examination. 

9. The method of claim 8, wherein said packet rate limit is defined as the
maximum number of packets Pmax acceptable in a time interval Trefresh.

10. The method of claim 9, wherein said rate limiting rule further
comprises operating said interface according to a "deny and discard" action,
when each packet received at said counter during said time interval Trefresh, and
which is in excess of said Pmax, is denied access and discarded.

11. The method of claim 9, wherein said rate limiting rule further
comprises operating said interface according to a "deny and extract" action,
when each packet received at said counter in excess of said Pmax during said
time interval Trefresh, is denied access to said IP network and extracted for further
examination.

12. The method of claim 9, wherein said "accept and discard" action 
comprises: 

initiating a packet rate limiting counter to a CountStart value;

counting each packet with said counter to provide a CurrentCount value
indicative of the number of packets received over said interface until saturation
CountSat of said counter is reached;

allowing each said packet that has said CurrentCount less than said
CountSat within said time interval Trefresh; and

discarding each said packet arrived at said counter after saturation of said
counter and before the beginning of a next time interval Trefresh.

13. A line card for a router connected to an IP network, comprising, for 
each interface on said line card: 

a packet forwarding ASIC with an access control list (ACL) unit provided 
for controlling which IP packets are allowed to enter or exit an IP network based 
on a plurality of rules, 

a packet rate limit counter in said ACL unit for measuring the packet rate 
of a packet flow; and 

a housekeeping processor for operating said counter to implement an 
access control rate limiting rule for said packet flow. 

14. The line card of claim 13, wherein said counter comprises a packet 
counter field for counting each packet received in said packet flow, and a state 
register field for determining the action to be performed on said packet. 

15. The line card of claim 13, wherein said counter comprises a 13-bit 
packet counter field for counting each packet received in said packet flow, and a 
3-bit state register field for determining the action to be performed on said 
packet, wherein said state register occupies the most significant bits of each said 
counter. 

16. The line card of claim 13, wherein said housekeeping processor
comprises means for resetting said packet counter field at a preset interval of
time Trefresh.

17. The line card of claim 13, wherein said housekeeping processor
comprises means for presetting said packet counter field at a start value
StartCount each given interval of time Trefresh.

18. The line card of claim 13, wherein said housekeeping processor 
comprises means for setting said state register field to an action value that 
determines the operation state of said ACL unit. 

19. The line card of claim 18, wherein said housekeeping processor sets
said action value to indicate one of an "accept and discard" and an "accept with
extract" action, when said packet counter field counts each incoming packet until
saturation of said counter.

20. The line card of claim 19, wherein said ACL unit sets said action value
to indicate one of a "discard" and an "extract" action, when said counter field is
saturated, while said ACL unit denies access to each said packet.

21. In an ACL unit provided at a router for controlling which IP packets
are allowed to enter/exit an IP network based on a plurality of rules, a counter for 
measuring the packet rate of a packet flow, comprising: 

a packet counter field for counting each packet in said packet flow; and 
a state register field for determining the action to be performed on each 
said packet. 

22. The counter of claim 21, wherein said state register field occupies the
3 most significant bits of said counter and said packet counter field occupies the
remainder of 13 bits.
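
The counter described in claims 3 to 5 and 13 to 22 can be modelled in software as follows. This is an added illustration, not code from the patent or its authors. The state encodings, the relation StartCount = CountSat - Pmax, the separate tally of denied packets and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define COUNT_BITS 13u                        /* packet counter field width */
#define COUNT_SAT  ((1u << COUNT_BITS) - 1u)  /* CountSat: field is full */

/* State encodings are assumed here; the claims fix only the field widths. */
enum acl_state { ST_ACCEPT_DISCARD = 1, ST_ACCEPT_EXTRACT = 2,
                 ST_DISCARD = 3, ST_EXTRACT = 4 };
enum verdict { V_ACCEPT, V_DISCARD, V_EXTRACT };

/* word: state register in bits 15..13, packet count in bits 12..0.
   denied: separate tally of denied packets (a simplification). */
typedef struct { uint16_t word; uint32_t denied; } rl_counter;

static unsigned rl_state(const rl_counter *c) { return c->word >> COUNT_BITS; }
static unsigned rl_count(const rl_counter *c) { return c->word & COUNT_SAT; }

/* Housekeeping processor, once per Trefresh: set the action and preset the
   count to StartCount = CountSat - Pmax (assumed relation). */
int rl_refresh(rl_counter *c, enum acl_state mode, unsigned pmax) {
    if (pmax > COUNT_SAT ||
        (mode != ST_ACCEPT_DISCARD && mode != ST_ACCEPT_EXTRACT))
        return -1;
    c->word = (uint16_t)(((unsigned)mode << COUNT_BITS) | (COUNT_SAT - pmax));
    c->denied = 0;
    return 0;
}

/* ACL unit, once per packet of the flow. */
enum verdict rl_packet(rl_counter *c) {
    unsigned st = rl_state(c);
    if (st == ST_ACCEPT_DISCARD || st == ST_ACCEPT_EXTRACT) {
        if (rl_count(c) < COUNT_SAT) { c->word++; return V_ACCEPT; }
        /* Saturated: flip the state register; the count stays pinned. */
        st = (st == ST_ACCEPT_EXTRACT) ? ST_EXTRACT : ST_DISCARD;
        c->word = (uint16_t)((st << COUNT_BITS) | COUNT_SAT);
    }
    c->denied++;   /* unknown states also land here: fail closed */
    return st == ST_EXTRACT ? V_EXTRACT : V_DISCARD;
}

int main(void) {
    rl_counter c;
    rl_refresh(&c, ST_ACCEPT_DISCARD, 3);          /* Pmax = 3 per interval */
    for (int i = 1; i <= 5; i++)
        printf("packet %d -> verdict %d\n", i, (int)rl_packet(&c));
    return 0;
}
```

Because the increment only happens while the count is below CountSat, it can never carry into the state bits, so a burst cannot corrupt the action field.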